Bug Hunter Finds Another IE Hole
Bulgarian bug hunter Georgi Guninski last week discovered yet another vulnerability in Microsoft Corp.'s Internet Explorer Web browser that could let an attacker take control of a victim's machine.
The vulnerability basically allows attackers to execute malicious code on a victim's computer by exploiting .chm files -- a compressed help file format. According to Guninski, the browser vulnerability allows attackers to find and access temporary Internet files on other users' machines. Temporary Internet files are cached copies of Web pages that Explorer stores on a user's hard disk. Caching allows the page to be loaded faster the next time the user visits the page.
The vulnerability allows attackers to find such temporary files on another user's machine and to cache .chm files in them. The .chm files can then be used to execute malicious code. Attackers could potentially take full control of a victim's machine in this manner, Guninski said.
The chances of the vulnerability being exploited are slim, said Russ Cooper, an analyst at TruSecure Corp. in Reston, Va.
Users who follow basic security procedures -- such as disabling scripting and not opening executable files from unknown persons -- should remain fairly safe, according to Cooper.